CERTIFICATION OF THE DEFENSE CIVILIAN PERSONNEL DATA SYSTEM

Report No. D-2001-137
June 7, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at: www.dodig.osd.mil or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-2885

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

ADM      Acquisition Decision Memorandum
CIO      Chief Information Officer
CCA      Clinger-Cohen Act
CPMS     Civilian Personnel Management Service
DCPDS    Defense Civilian Personnel Data System
GAO      General Accounting Office
IPT      Integrated Product Team
IT       Information Technology
MDA      Milestone Decision Authority

Office of the Inspector General, DoD

Report No. D-2001-137, June 7, 2001
(Project No. D-2000AS-0212)

Certification of the Defense Civilian Personnel Data System

Executive Summary

Introduction. The Clinger-Cohen Act mandated changes to the way DoD selects and manages information technology resources and emphasized that information technology was an enabler of business process reengineering. The Chief Information Officer, DoD, oversees all DoD information technology investments. To help ensure effective oversight of DoD information technology investments, Congress included Section 8121(b) in the FY 2000 DoD Appropriations Act. This act required the Chief Information Officer, DoD, to certify, prior to Milestone I, II, or III approval, that major automated information systems were being developed in accordance with the Clinger-Cohen Act. Section 8121(b) also required the Chief Information Officer, DoD, to inform Congress of the certifications and to provide confirmation that DoD Components took certain steps with respect to the system certification, to include business process reengineering, analysis of alternatives, economic analysis, performance measures, and an information assurance strategy. This audit was the first in a series of planned audits of information systems that were certified by DoD as being compliant with the Clinger-Cohen Act.

DoD authorized the development of the modern Defense Civilian Personnel Data System in December 1994 to support the regionalization of civilian personnel operations, which included workforce reduction.
DoD planned to concurrently field the Defense Civilian Personnel Data System modernization and complete regionalization by December 1998. DoD completed regionalization by June 1999, but, as of May 2001, full-scale deployment of Defense Civilian Personnel Data System had occurred at only 5 of the 26 proposed sites. Of the remaining 21 sites, program officials expanded testing at 6 of the sites and planned to complete deployment for 15 sites by September 2001, almost two years after the completion of reengineering. On May 10, 2000, the Chief Information Officer, DoD, certified that the Defense Civilian Personnel Data System was being developed in accordance with the Clinger-Cohen Act.

Objectives. The audit objective was to determine whether DoD oversight processes and procedures provided the Chief Information Officer, DoD, sufficient basis to certify that the Defense Civilian Personnel Data System was managed in accordance with the Clinger-Cohen Act. In subsequent reports, we will evaluate the basis for certification of other systems, assess DoD progress in implementing the Clinger-Cohen Act, and review related management controls.

Results. The Chief Information Officer, DoD, did not have sufficient basis to certify, without qualification, that the Defense Civilian Personnel Data System had been developed in accordance with the Clinger-Cohen Act. Specifically, the Chief Information Officer, DoD, lacked sufficient basis for unconditional certification because previously identified Clinger-Cohen compliance issues were not fully resolved or recognized, relevant data were not adequately analyzed, and key acquisition documents either were not prepared or were not prepared and approved in a timely manner. Additionally, milestone exit criteria were not well defined or sufficiently tracked and enforced.
Further, DoD oversight did not include specific criteria or a commonly defined approach for evaluating the basis for Clinger-Cohen certification. As a result, the certification requirement was not an effective means for ensuring Defense Civilian Personnel Data System compliance with the Clinger-Cohen Act. The DoD is continuing to refine its information technology acquisition review processes and needs to consider the lessons learned from its initial experiences in section 8121(b) implementation, which includes the need for better guidance and oversight.

Summary of Recommendations. We recommend that the Chief Information Officer, DoD, clarify and enhance the methodology for determining Clinger-Cohen compliance; improve information technology oversight processes by periodically confirming the accuracy and adequacy of information reported by DoD Components; coordinate with the Civilian Personnel Management Service to implement common DoD-wide performance measures; and continue oversight of post-development Defense Civilian Personnel Data System program activities. We also recommend that the Director, Civilian Personnel Management Service, reassess system interfaces and enhance user guidance to ensure that the information assurance posture of the system is appropriate.

Management Comments. Management commented that we inappropriately describe previously identified issues as Clinger-Cohen Act compliance issues because associated decisions were made before the Act was legislated.
The Acting Deputy Assistant Secretary of Defense (Deputy Chief Information Officer) concurred with the recommendations to clarify and strengthen the certification criteria and processes used by the Chief Information Officer and the DoD Components to determine whether major automated information systems are developed in accordance with the Clinger-Cohen Act. However, the Deputy Assistant Secretary nonconcurred with the draft recommendation to implement standardized functional performance measures because implementation is a responsibility of the system owner. Additionally, the Acting Assistant Secretary of Defense (Force Management Policy) and the Director, Civilian Personnel Management Service, jointly indicated nonconcurrence with both recommendations on information assurance stating that all system interfaces were appropriately secured and processes documented, and that the related recommendations should be removed.

Audit Response. We recognize that the basis for some issues predates the passage of the Clinger-Cohen Act in 1996, but the concepts mandated by the Act were not new to DoD. Similar Office of Management and Budget and DoD policy and requirements existed prior to the enactment of Clinger-Cohen and were fully applicable to Defense Civilian Personnel Data System program decisions made before and after the enactment of Clinger-Cohen. Although the Acting Deputy Assistant Secretary (Deputy Chief Information Officer) concurred with most recommendations, the comments were partially responsive. We asked for additional comments on the development of an action plan for enhancing Chief Information Officer oversight and completion dates for the recommendations. We also revised Recommendation 1.c. on implementing performance measures to more appropriately focus on the role of oversight. Based on the comments of the Director, Civilian Personnel Management Service, we revised both recommendations related to information assurance.
We revised Recommendation 2.a. so that we no longer tied system deployment at additional sites to the implementation of our recommendations. We also revised Recommendation 2.b. to allow flexibility in publishing the enhanced security guidance as long as the guidance is documented and easily accessible. We request that management provide additional comments on the final report by July 9, 2001.

Table of Contents

Executive Summary

Introduction
     Background
     Objectives

Finding
     Certification of the Defense Civilian Personnel Data System as Compliant with the Clinger-Cohen Act

Appendixes
     A. Audit Process
          Scope and Methodology
          Prior Coverage
     B. Defense Civilian Personnel Data System
     C. Timeline of Major Defense Civilian Personnel Data System Program Documentation
     D. Summary of Management Comments on the Finding and Audit Response
     E. Report Distribution

Management Comments
     Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
     Assistant Secretary of Defense (Force Management Policy)

Background

In the mid-1990s, Congress passed several pieces of reform legislation designed to improve the management and performance of Federal agencies.
The reform legislation responded to the inability of Federal agencies to effectively manage the acquisition of information technology (IT) systems that met the needs of functional users. One major reform initiative was the Information Technology Management Reform Act of 1996, which was subsequently retitled the Clinger-Cohen Act of 1996.

Clinger-Cohen Act of 1996. The Clinger-Cohen Act of 1996 (CCA) requires Federal agencies to focus on the results achieved through IT investments while streamlining the Federal IT procurement process. Specifically, the CCA required agencies to design and implement a structure and process for acquiring and managing IT. One of the primary requirements of the CCA was the establishment of the position of the Chief Information Officer for each Federal agency.

To comply with this requirement, in June 1997, the Secretary of Defense designated the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) as the Chief Information Officer, DoD (the CIO), and conferred the authority and responsibility for implementing all aspects of the CCA.
The CIO responsibilities include:

• designing and implementing a process for maximizing the value and assessing and managing the risks of DoD IT acquisitions (delegated by the Secretary of Defense);

• institutionalizing performance- and results-based IT management (delegated by the Secretary of Defense); and

• providing advice and other assistance to the Secretary of Defense and other senior DoD managers to ensure that the acquisition of IT and information resources was managed in accordance with the policies of the CCA.

The Secretary of Defense also made the CIO responsible for the management and oversight of all DoD IT systems. Specific responsibilities included overseeing the performance of IT programs and measuring program progress through system milestone reviews.

Congressional Concerns. In the House of Representatives Report 106-244, “Report of the Committee on Appropriations,” July 20, 1999, the House Committee on Appropriations expressed disappointment in the effectiveness of management oversight of DoD IT system acquisition projects. Specifically, the Committee stated that IT systems tended to overrun budgets, slip schedules, evade data standardization and interoperability requirements, and shortchange user needs. In an attempt to address some of those concerns, Congress developed provisions to prohibit any DoD IT system from receiving approval in an acquisition development milestone decision without written certification from the CIO that the system has been developed in accordance with the CCA.

Statutory Requirements.
Additionally, Congress enacted section 8121(b), “Certifications as to Compliance with the Clinger-Cohen Act” of the FY 2000 DoD Appropriations Act, which states:

    (1) During the fiscal year 2000, a major automated information system may not receive Milestone I approval, Milestone II approval, or Milestone III approval within the Department of Defense until the Chief Information Officer certifies, with respect to that milestone, that the system is being developed in accordance with the Clinger-Cohen Act of 1996 (40 U.S.C 1401 et seq.). The Chief Information Officer may require additional certifications, as appropriate, with respect to any such system.

    (2) The Chief Information Officer shall provide the congressional defense committees timely notification of certifications under paragraph (1). Each such notification shall include, at a minimum, the funding baseline and milestone schedule for each system covered by such a certification and confirmation that the following steps have been taken with respect to the system:

        A) Business process reengineering.

        B) An analysis of alternatives.

        C) An economic analysis that includes a calculation of the return on investment.

        D) Performance measures.

        E) An information assurance strategy consistent with DoD Command, Control, Communications, Computers, Intelligence, and Reconnaissance Architecture Framework.

On October 30, 2000, Congress enacted Public Law 106-398, the FY 2001 DoD Authorization Act, section 811(c), “Milestone Approval For Major Automated Information Systems,” which reinforced the requirements of section 8121(b) and clarified that the CIO shall determine whether the IT system was being developed in accordance with the requirements of division E of the CCA.

Related DoD Policy and Requirements. The specific interest items iterated in section 8121(b) were specifically recognized and required by DoD policy and guidance prior to passage of the CCA in 1996. DoD Directive 8000.1, “Defense Information Management (IM) Program,” October 27, 1992, provides high-level DoD policy regarding information management, including supporting IT systems. The Directive levies requirements and responsibilities for business process streamlining and improvements; preparing and validating functional economic analyses, which includes analyses of alternatives and investment risk; developing functional process performance measures and assessments; and ensuring appropriate information security. Additionally, DoD Directive 8120.1, “Life-Cycle Management (LCM) of Automated Information Systems (AISs),” January 14, 1993,¹ had stated that it was DoD policy to control IT system expenditures to ensure that derived benefits satisfy mission needs to the greatest extent possible and in the most cost-effective manner. Accordingly, Directive 8120.1 emphasized the importance of those specific section 8121(b) interest items that are critical in the “early-on” IT development stages, especially those related to improving business processes and examining alternatives and projecting related costs and benefits. DoD acquisition guidance also contained requirements related to basic principles of sound system acquisition management.

Acquisition Program Milestones.
A milestone is a decision point that separates major phases of an acquisition program. Until October 2000, the major DoD acquisition phases included Concept Exploration (Phase 0), Program Definition and Risk Reduction (Phase I), Engineering and Manufacturing Development (Phase II), and Production, Fielding/Deployment, and Operational Support (Phase III). DoD acquisition policy requires a milestone decision before an acquisition program may progress to the next phase of development. The CIO, as the Milestone Decision Authority (MDA) for major automated information systems, approved milestone decisions for high-cost or special interest IT acquisition programs. In October 2000, DoD substantially revised its acquisition guidance and requirements. Those revisions included a reduced number of major milestone phases and associated decision points. DoD also revised acquisition regulations to more clearly and effectively implement various aspects of IT reform legislation, including those related to the CCA.

Key Acquisition Documents. As part of the acquisition program milestone review, key acquisition documents, such as an Acquisition Program Baseline and Test and Evaluation Master Plan, are fundamental to the effective acquisition management and oversight of IT systems. Accordingly, senior representatives from the Office of the Secretary of Defense rely on key acquisition documents to help implement the CCA. Although DoD de-emphasized some mandatory documentation requirements, DoD provided clear direction on statutory and regulatory requirements for appropriate program documentation for milestone reviews.

Defense Civilian Personnel Data System.
On May 10, 2000, the Defense Civilian Personnel Data System (DCPDS) was certified as one of the first systems developed in accordance with the CCA. The primary goal of the DCPDS Program was to provide all DoD Components with a single, standardized, automated civilian personnel management system that would provide the software application tools and the requisite hardware to support regionalization of DoD civilian personnel mission requirements and operations and a reduced workforce. Initially, DoD planned to field the modern DCPDS and complete regionalization by December 1998. By June 1999, DoD completed regionalization of all 22 regional support centers. However, initial deployment of the DCPDS did not start until October 1999, with complete deployment scheduled for September 2001. The Civilian Personnel Management Service (CPMS) was the functional proponent for the DCPDS Program and IT system acquisition program management was performed by the Central Design Activity at the Air Force Personnel Center. Upon Milestone III approval, the Central Design Activity ceased to provide acquisition program management services, and CPMS assumed overall program acquisition and management responsibilities. Appendix B provides a detailed description of the DCPDS Program.

¹ DoD Directive 5000.1, “Defense Acquisition,” March 15, 1996, cancelled DoD Directive 8120.1 and incorporated the policies and requirements on life-cycle management for automated information systems.

Objectives

The audit objective was to determine whether DoD oversight processes and procedures provided the Chief Information Officer, DoD, with a sufficient basis to certify that the Defense Civilian Personnel Data System was being managed in accordance with the Clinger-Cohen Act. This report is the first of a series. In subsequent reports, we will evaluate the basis for certification of other systems, assess DoD progress in implementing the Clinger-Cohen Act, and review related management controls. A description of the audit scope and methodology and prior coverage related to the DCPDS Program is shown in Appendix A.

Certification of the Defense Civilian Personnel Data System As Compliant with the Clinger-Cohen Act

The CIO did not have a sufficient basis to certify, without qualification, that DCPDS had been developed in accordance with the Clinger-Cohen Act.
The CIO lacked sufficient basis because:

• previously identified CCA compliance issues had not been fully resolved, and relevant data were not adequately analyzed;

• key acquisition documents either were not prepared or were not prepared and appropriately approved in a timely manner, and were not regularly updated;

• milestone exit criteria were not well defined or sufficiently tracked and enforced;

• CIO management controls for overseeing the DCPDS development did not provide active oversight participation and involvement by senior DoD advisors at key decision points or adequate and ongoing direction and guidance to the DCPDS Program; and

• the CIO did not establish specific criteria for or define a common approach to evaluating the basis for CCA certification.

As a result, in the case of the DCPDS Program, the certification requirement was not an effective means of ensuring compliance with the CCA.

DCPDS Certification Process

CPMS officials had to use draft procedures to prepare the DCPDS Compliance Report because the CIO did not complete a standard section 8121(b) certification process until after he had certified the DCPDS Program as CCA compliant. The DCPDS was certified to Congress on May 10, 2000; however, the CIO did not complete the standard section 8121(b) certification process until July 13, 2000.
Although the use of draft procedures during the DCPDS certification process did not materially affect the validity of the certification, official guidance establishes management’s position, intent, and applicability of the policy. Both the draft and final versions of section 8121(b) certification procedures required DoD Component heads to prepare a compliance report prior to each milestone approval.

The Office of the Director, CPMS, prepared the compliance report for the DCPDS Program, which summarized the requirements of section 8121(b), provided background information on the DCPDS Program, and outlined the actions taken by CPMS on the five section 8121(b) interest items: business process reengineering, analysis of alternatives, economic analysis, performance measures, and an information assurance strategy. A review team represented by various staff offices within the Office of the Secretary of Defense then prepared the congressional certification report for the signature of the CIO. The compliance report and the certification report essentially contained the same information. On March 17, 2000, the review team briefed the Deputy CIO on the draft DCPDS certification report. The briefing included confirmation of steps taken to address each of the five specific congressional interest items. During its briefing to the Deputy CIO, the review team presented a qualified confirmation of steps taken regarding business process reengineering, analysis of alternatives, and performance measures because the General Accounting Office (GAO) previously identified problems in those areas.

Because CPMS initiated actions to address GAO concerns, the review team recommended that the CIO certify DCPDS as CCA compliant.
The Deputy CIO tentatively approved certification during the briefing, thus authorizing the preparation of the official certification report and congressional notification letters for the CIO to sign for Congress. The certification report and notification letters were coordinated with and endorsed by the Office of the Under Secretary of Defense (Comptroller); the Office of the Director, Program Analysis and Evaluation; the Office of the Assistant Secretary of Defense for Legislative Affairs; the Office of the Deputy Under Secretary of Defense for Program Integration; the Office of General Counsel; the Office of the Deputy Assistant Secretary of Defense for Civilian Personnel Policy; and the Office of the Assistant Secretary of the Air Force for Acquisition.

Resolution of Previously Identified CCA Compliance Issues

In its report GAO/AIMD-99-20, “Defense IRM: Alternatives Should Be Considered in Developing the New Civilian Personnel System,” January 1999, the GAO identified DCPDS development problems related to each of the five interest items listed in section 8121(b). The GAO concluded that the DCPDS development provided DoD with little assurance that its investment was optimal because of weaknesses identified in business process reengineering, analysis of alternatives and economic analyses, and performance measures. Additionally, DCPDS security risks had not been adequately addressed. GAO recommendations included a reevaluation of alternatives, with the costs and benefits of each alternative determined through economic analyses, and the standardization of performance measurements. GAO also recommended actions to adequately secure and protect DCPDS sensitive data.

In effect, the results of the GAO review should have informed DoD that DCPDS development had not been in accordance with the CCA. Because the report to Congress did not mention the results of the GAO review, we included steps in our audit to validate GAO conclusions and to evaluate DoD actions to implement related recommendations.

DoD Investment in DCPDS. To determine whether the CIO had a firm basis for certifying that DCPDS was developed in accordance with the IT system investment principles of CCA, we evaluated the actions taken on related section 8121(b) interest items: business process reengineering, analysis of alternatives, economic analysis, and performance measures.

Business Process Reengineering. DoD efforts to reengineer personnel management processes prior to DCPDS investment met the general intent of CCA. Business process reengineering is a systematic and disciplined improvement approach that critically examines, rethinks, and redesigns mission-delivery processes to improve performance in areas that are important to customers and stakeholders. The redesign of business processes has to occur prior to system development to maximize the value of IT system investment.

Business process reengineering is normally accomplished through three basic steps. First, an “as-is” model is produced, which provides detailed descriptions of existing functional processes. Capitalizing on current IT technology and capabilities, a “to-be” functional process is then designed, which details the reengineered processes. Once the redesigned business processes are determined, an IT system can be designed and developed to best implement the reengineered business processes.

To re-engineer civilian personnel business processes, DoD initiated the modernization of the DCPDS to support regionalization of civilian personnel operations, which included workforce reduction. DoD began regionalization efforts in 1989 and completed those efforts by June 1999.
To enable DoD regionalization efforts, DoD developed the modern DCPDS, with plans to complete the modernization effort by December 1998. However, DCPDS deployment to various test sites did not begin until October 1999 with an estimated completion date of September 2001, almost 2 years after regionalization was completed. Consequently, DoD’s reengineering of civilian personnel management business processes did not yield all the expected benefits at that time because the enabling IT system, DCPDS, had not met original timeframes.

DoD completed the redesign of personnel business processes before the completion of the enabling IT system development. However, a fully effective reengineered business process required timely implementation and integration of the IT system with the modified processes.

Analysis of Alternatives and Economic Analysis. CPMS officials could not demonstrate that they selected the DCPDS Program IT system through a process of rigorous analysis of alternatives and economic analysis. An analysis of alternatives and an economic analysis are directly related. Effective use of an analysis of alternatives, in conjunction with an economic analysis, provides a viable basis for evaluating potential solutions and selecting the most cost-beneficial alternative. The analysis of alternatives generally starts with a broad base of possible solutions to meet a mission need. Once the field of possible solutions is narrowed to a few realistic alternatives, then the principles of economic analysis and its tools of cost-benefit analysis and return-on-investment are applied to identify the most promising solution.

DCPDS managers did not meet the requirements of DoD Instruction 7041.3, “Economic Analysis for Decision Making.” DoD Instruction 7041.3 states that each feasible alternative for meeting an objective must be considered and its life-cycle costs and benefits evaluated. The Instruction also states that alternatives dismissed as infeasible must be discussed, but need not be formally compared, in the economic analysis. Additionally, the Instruction requires that the economic analysis provide a detailed cost/benefit analysis for all alternatives deemed feasible through the analysis of alternatives process. The emphasis on documentation is appropriate because all significant DoD investments undergo some form of management review. Oversight cannot be effective without a clear understanding of why a proposed investment is the best available alternative.

In 1995, CPMS officials decided to base the acquisition of the DCPDS Program upon commercially available software and selected an Oracle product. However, there was little evidence to demonstrate that their selection process employed a rigorous analysis of alternatives or economic analyses detailing the expected costs, benefits, and returns on investments. CPMS officials evaluated three commercial products to determine how well each product would meet DoD personnel management needs and the initial costs for each product.
The\nselection process did not clearly demonstrate that the Oracle product represented\nthe best DCPDS investment alternative.\n\nIn its January 1999 report, GAO recommended that DoD analyze all\ncommercially available alternatives and the related costs and benefits of each.\nDCPDS Program officials agreed, but did not commit to reevaluating the Oracle\nselection. CPMS officials told us that Oracle was the only software that could\nperform DCPDS requirements and that further economic analysis made no\nsense, given the level of investment in DCPDS at the time of the GAO report.\nAdditionally, DCPDS development was almost complete and further analysis\nwould have unnecessarily delayed implementation of DCPDS. In July 1999,\nGAO representatives agreed with CPMS officials that it was too late in the\ndevelopment process to reconsider Oracle and that the CPMS should turn its\nfocus to the future.\n\nBecause the CIO provided DCPDS with a conditional Milestone III approval on\nMay 19, 2000, we agree that further analysis of alternatives and economic\nanalyses would provide little benefit at such a late stage of development.\nHowever, CPMS officials should perform a well documented analysis of\nalternatives and an economic analysis for any significant future product\nimprovements or upgrades.\n\nPerformance Measures. 
The “DoD Guide for Managing Information\nTechnology (IT) as an Investment and Measuring Performance,” February 10,\n1997, defined IT performance measurement as:\n\n          The assessment of effectiveness and efficiency of IT in support of the\n          achievement of an organization’s missions, goals, and quantitative\n          objectives through the application of outcome-based measurable, and\n          quantifiable criteria, compared against an established baseline, to\n          activities, operations, and processes.\n\n          Evaluation of a program’s effectiveness and efficiency begins with the\n          establishment of a performance measurement baseline. Performance\n          measures are developed based on expected outcomes, assessed against\n          the baseline, and continually monitored to determine whether they are\n          being achieved. Individual measures are defined and then quantified\n          with targets and thresholds to form the performance measurement\n          baseline.\n\nIn its January 1999 report, GAO emphasized that common definitions for\nperformance measures were needed to uniformly and consistently measure\nmission performance gains of all DoD Components. As of October 2000,\nCPMS officials had not obtained agreement between the Military Departments\non definitions for common performance measures. Further, because the\nperformance baselines established by the Military Departments were premised\non their unique definitions, DoD did not have a common base from which to\nmeasure DCPDS performance gains. Because CPMS officials did not insist that\neach DoD Component establish performance measures based on common\ndefinitions, DoD was not able to meaningfully assess the impact of DCPDS on\nits DoD-wide civilian personnel management mission. 
Additionally, without\nstandard performance measures and related baselines, DoD was not able to\nuniformly assess and quantify performance gains attributable to DCPDS by all\nComponents.\n\nThe CIO description provided to Congress of steps relating to DCPDS\nperformance measures was not complete; however, DoD could still establish and\nimplement uniform DCPDS performance measures. Specifically, the CIO, in\ncoordination with CPMS, should make sure that uniform DCPDS performance\nmeasures are implemented by all DoD Components. Such action would provide\nthe CIO with a basis to comply with the specific CCA requirement to measure\nhow well DCPDS supported the users. Uniform performance measures would\nalso better enable the CIO to meet the CCA requirement to annually report DoD\nprogress in achieving DCPDS goals to Congress.\n\nInformation Assurance. CPMS officials took substantial action to improve the\nDCPDS information assurance posture in response to prior reports and reviews;\nhowever, we identified further opportunities for CPMS to improve the\ninformation assurance posture of DCPDS assets. Information assurance, often\nreferred to as information security, is the process used to protect and defend\n           information and information systems by ensuring their confidentiality, integrity,\n           availability, and non-repudiation[2].\n\n                   Action Taken on Prior Audits and Reviews. Office of Inspector\n           General, DoD, Report No. 98-082, “Information Assurance of the Defense\n           Civilian Personnel Data System,” February 23, 1998, identified high DCPDS\n           risks concerning unauthorized system access, inappropriate alteration and\n           destruction of personnel data, and denial of service to users. 
Recommendations\n           included the implementation of information assurance measures and procedures\n           to protect civilian personnel data. In its January 1999 report, GAO identified\n           DCPDS information assurance weaknesses regarding physical security of related\n           hardware and personnel data and the use of non-secure data networks, including\n           the Internet. GAO recommended an assessment of DCPDS security risks and\n           needs, encryption to protect DCPDS sensitive personnel data, and security\n           awareness at all DCPDS sites.\n\n           CPMS officials initiated and implemented aggressive actions to improve the\n           information assurance of DCPDS and to satisfy related Inspector General and\n           GAO recommendations. Those actions included the encryption of data\n           exchanged between the regional centers and associated customer support units,\n           the performance of DCPDS risk assessments and DCPDS security test and\n           evaluations, the designation of information system security officers at each\n           DCPDS site, and the formal accreditation of DCPDS as being appropriately\n           secured.\n\n                  Assessment of DCPDS Information Assurance. Overall, DoD\n           adequately and fairly described the DCPDS information assurance posture in the\n           congressional notification. We commend CPMS actions that greatly\n           strengthened the information assurance of DCPDS; however, we identified\n           additional areas of concern and opportunities for CPMS management to further\n           strengthen DCPDS information assurance.\n\n           CPMS lacked a documented risk assessment for unencrypted data exchanged\n           among the centralized corporate database, the Regional Service Centers, and\n           other non-DCPDS external systems. As of November 2000, data encryption\n           between some of these links did not exist. 
Accordingly, the Director, CPMS,\n           should perform a risk assessment of the unencrypted interfaces to determine\n           whether the transmittal of passwords, user identifications, and DCPDS data over\n           the unsecured Internet could be better protected and should implement, if\n           deemed appropriate, enhanced security controls.\n\n           We also identified a need for enhancements to DCPDS end user security policy\n           and guidance. First, CPMS placed the responsibility for establishing strong\n           passwords on the user. Secondly, DCPDS did not automatically disconnect\n           users after a predetermined period of inactivity. Lastly, DCPDS did not\n           consistently mark output products that contained sensitive data. Accordingly,\n           DCPDS managers should develop procedures to guide and instruct DCPDS\n           users in establishing and maintaining effective passwords, the use of keyboard\n           locking mechanisms, and ensuring all sensitive documents are appropriately\n           marked. To be of maximum benefit, DCPDS users must be made aware of the\n           need for diligent security procedures and associated security guidance should be\n           quickly and easily accessible by DCPDS users.\n\n[2] Non-repudiation refers to the positive identification of who accessed a system and what transactions\n    were performed.\n\nKey Documentation for Milestone Reviews\n           The House Appropriations Committee’s Report on the DoD Appropriations Bill\n           for FY 2000 provided insight on the congressional concerns that resulted in\n           section 8121(b) certification requirements. The Committee was disappointed\n           with DoD oversight of its information technology systems, including acquisition\n           milestone reviews. 
Specifically, the report stated, “Those systems that are\n           reviewed are often approved despite lacking key documentation.” The\n           Milestone Decision Authority did not ensure that key documentation for DCPDS\n           was prepared and appropriately coordinated and approved for consideration\n           during milestone decisions.\n\n           DoD Acquisition Documentation Requirements. DoD Regulation 5000.2-R,\n           “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and\n           Major Automated Information System (MAISs) Acquisition Programs,”\n           March 15, 1996,[3] allows the MDA to tailor the documentation requirements for\n           each acquisition program. Specifically, the Regulation states that:\n                       Any singular MDAP or MAIS need not follow the entire process\n                       described below. However, cognizant of this model, the Program\n                       Manager (PM) and the Milestone Decision Authority (MDA) shall\n                       structure the MDAP or MAIS to ensure a logical progression through\n                       a series of phases designed to reduce risk, ensure affordability, and\n                       provide adequate information for decision-making that will provide the\n                       needed capability to the warfighter in the shortest practical time.\n\n           Although the MDA may tailor the documentation required, the MDA tentatively\n           approved DCPDS milestones without ensuring that documentation key to\n           making sound milestone decisions had been prepared and appropriately\n           coordinated and approved. Further, actual milestone decisions\n           were not clearly delineated or adequately documented.\n\n           Milestones I and II Documentation. 
On May 20, 1996, the MDA provided a\n           provisional Milestone I approval and implied a Milestone II approval. The\n           MDA approved Milestone I pending the receipt, within 60 days, of an approved\n           Operational Requirements Document, Acquisition Program Baseline, and Test\n           and Evaluation Master Plan. The documents required by the MDA, which\n           provide critical insight to key aspects of program strategy and direction, were\n           not submitted for several months. One reason for delay was that DCPDS\n     managers did not fully recognize the time needed to extensively coordinate key\n     documents and to obtain the requisite approvals from other than functional\n     officials. For example, ultimate approval of the DCPDS Master Test and\n     Evaluation Plan had to be obtained from DoD developmental and operational\n     testing organizations. The MDA indicated a Milestone II approval by\n     authorizing the DCPDS Program to continue the design analysis and\n     development of application software, activities normally undertaken in Phase II\n     of an acquisition. However, the required documentation was not provided\n     during the specified timeframe. Therefore, it is unclear whether the original\n     milestone decision was nullified. No final Milestone I or II decision by the\n     MDA was documented.\n\n[3] Reissued as Interim Regulation, DoD 5000.2-R, “Mandatory Procedures for Major Defense Acquisition\n    Programs (MDAPs) and Major Automated Information Systems (MAIS) Acquisition Programs,”\n    January 1, 2001.\n\n     Milestone III Documentation. On May 19, 2000, the MDA provided a\n     conditional Milestone III approval for the DCPDS Program although several key\n     documents had not been developed. 
For example, after 4 years, CPMS still had\n     not prepared a formal Analysis of Alternatives or standard DoD performance\n     measures for DCPDS, even though GAO had previously identified weaknesses\n     in those areas. Additionally, the MDA did not ensure that DCPDS Program\n     officials developed a DCPDS implementation risk analysis and mediation plan\n     even though DCPDS implementation was contracted to an outside source.\n     Further, although DCPDS did not meet all Operational Requirements Document\n     requirements and key performance parameters during the Qualification\n     Operational Test and Evaluation, DCPDS managers did not document an\n     approach for resolving the testing issues for MDA consideration during the\n     milestone review.\n\nMilestone Exit Criteria\n     DoD Regulation 5000.2-R states that the Program Manager shall propose and\n     the MDA shall approve exit criteria appropriate to the next acquisition phase at\n     each milestone review. Exit criteria should demonstrate a level of performance\n     outcome, accomplishment of a process at a particular level of efficiency,\n     accomplishment of an event, or some other indication that the program is\n     progressing satisfactorily. The Regulation also requires the acquisition decision\n     memorandum (ADM) to document exit criteria requirements.\n\n     The ADM issued by the MDA for the May 1996 and May 2000 milestone\n     decision approvals did not contain sufficient exit criteria to guide the DCPDS\n     Program through the next acquisition phase. Rather than provide requirements\n     for the next acquisition phase, the ADM required specific steps for program\n     officials to perform that should have been completed during the previous\n     acquisition phase. Additionally, the MDA did not ensure sufficient followup to\n     enforce the provisions set forth in the ADM.\n\n     Milestone I Exit Criteria. 
The May 20, 1996, ADM provided Milestone I\n     approval pending the submission by July 1996 of an approved Operational\n     Requirements Document, an Acquisition Program Baseline, and a Test and\n     Evaluation Master Plan. DCPDS Program officials should have submitted fully\n     coordinated and approved key documents for consideration before the\nMilestone I decision, but did not submit them to the CIO in final form until 4,\n21, and 31 months, respectively, after the Milestone I decision. The CIO also\ndid not ensure that the documents were prepared, approved, and submitted in a\ntimely manner as required by the ADM. Appendix C provides a timeline of\nDCPDS program events including approval dates for milestone decisions and\nprogram documentation.\n\nThe ADM also stated specific requirements that DCPDS Program officials\nneeded to meet before exiting Phase II, such as the development of a risk\nmanagement plan. DCPDS Program officials developed and approved a risk-\nmanagement plan in February 1997, but did not update it until DCPDS Program\nofficials prepared a draft pre-Milestone III Technical Risk Management Plan in\nJanuary 2000. However, the Director, CPMS, did not approve the draft plan.\n\nMilestone III Exit Criteria. The May 19, 2000, ADM authorized the DCPDS\nProgram to proceed to the deployment phase subject to completing several\nactions before fielding. The ADM required the Director, CPMS, to provide\nwithin 30 days, a Memorandum of Understanding of the mission-essential\nfunctions necessary to field the system, an approved deployment schedule, and\nan acquisition program structure. The ADM also required the Director, CPMS,\nto fully develop the mission-essential functions and the Air Force Operational\nTest and Evaluation Center to perform the appropriate operational testing before\ndeployment. 
The Director, CPMS, provided the three documents to the CIO\nwithin 30 days, but the CIO did not question the adequacy of the CPMS\ndocumentation and did not ensure that the deficiencies identified during testing\nwere addressed.\n\n       Mission-Essential Functions. The Qualification Operational Test and\nEvaluation Test Report prepared by the Air Force Operational Test and\nEvaluation Center concluded that DCPDS was effective and suitable and\nrecommended a Milestone III approval. However, DCPDS did not meet all of\nthe Key Performance Parameter requirements of the Operational Requirements\nDocument. The Test Report recommended that the capabilities dealing with\nmass actions be operational before the DCPDS was fielded. However, the\nMay 19, 2000, ADM did not specifically request that CPMS officials address\nthe Test Report recommendations. Rather than determining whether those\nrequirements should be waived, the Memorandum of Understanding provided by\nthe Director, CPMS, and the functional Components focused on pre-planned\nupgrades. As a result, the Air Force Operational Test and Evaluation Center\nTest Report recommendation on mass actions was not specifically addressed and\nit remained unclear whether the requirement would be resolved before the\nDCPDS was fielded.\n\n       Deployment Schedule. The CPMS provided a deployment schedule on\nJune 19, 2000, which showed that fielding was to begin on August 4, 2000.\nThe schedule was unrealistic because additional testing had not been scheduled.\nThe CPMS began limited deployment to expand the modern DCPDS test base\non October 13, 2000. As of May 2001, CPMS had deployed five full-scale core\nsystems and expanded field-testing at six test sites. CPMS plans to complete\nDCPDS deployment by September 2001.\n\n             CPMS Acquisition Program Structure. 
In September 1999, the CIO\n     authorized the transition of DCPDS implementation, sustainment, operations\n     and maintenance from the program management organization to a commercial\n     vendor. In May 2000, the transition occurred and the DCPDS program office\n     was dissolved. With the transition and subsequent loss of acquisition program\n     oversight, CPMS officials were required to develop an acquisition program\n     strategy for assuming overall DCPDS program management responsibilities. In\n     October 1999, CPMS officials established a separate Vendor Management\n     Office to provide management oversight and support to DCPDS procurement,\n     contract, and certification activities.\n\n     Because the assumption of acquisition program management responsibilities by\n     the functional proponent was highly unusual, we reviewed the qualifications of\n     the Vendor Management Office staff to determine whether staff qualifications\n     were appropriate for the task. Although staff qualifications appeared adequate,\n     the CIO should continue to periodically oversee the CPMS throughout the\n     fielding and operational support of DCPDS.\n\nEffectiveness of CIO Oversight\n     We examined the structure and procedures for CIO acquisition oversight of the\n     DCPDS Program. We also evaluated the data relied upon by the CIO in making\n     oversight decisions. The DCPDS oversight controls were not fully effective\n     because the senior advisory team to the CIO was not fully involved. We also\n     identified control weaknesses associated with the ongoing oversight process of\n     the DCPDS Program.\n\n     Information Technology Overarching Integrated Product Team. The\n     Information Technology Overarching Integrated Product Team (Overarching\n     IPT) was minimally involved in the oversight of the DCPDS Program. The\n     primary role of the Overarching IPT was to provide advice to the CIO during\n     milestone reviews. 
The Overarching IPT, known as the Major Automated\n     Information Systems Review Council until July 1998, was composed of senior\n     managers representing the primary staff assistants with an interest in the subject\n     system. For DCPDS, the Overarching IPT included senior managers from the\n     offices of the Under Secretary of Defense (Acquisition, Technology, and\n     Logistics); the Under Secretary of Defense (Comptroller); the Director,\n     Operational Test and Evaluation; the Director, Program Analysis and Evaluation;\n     and user representatives. Although the Overarching IPT reviewed and concurred\n     with draft acquisition decision memoranda before formal DCPDS milestone\n     decisions, it did not meet during milestone reviews to discuss the progress and\n     status of the DCPDS Program and did not help identify potential programmatic\n     problems. Instead, the Overarching IPT relied on a lower-level, Acquisition\n     Oversight IPT to provide critical DCPDS oversight review and direction.\n\n     Acquisition Oversight IPT. The Acquisition Oversight IPT continuously\n     monitored DCPDS, but did not provide effective oversight to ensure that\n     DCPDS complied with DoD acquisition requirements or milestone decision\n     authority direction. From July 1997 through June 2000, the Acquisition\n    Oversight IPT met 18 times and monitored aspects of DCPDS such as program\n    and life-cycle costs, information assurance, testing, Year 2000 planning,\n    training, and outsourcing. The Acquisition Oversight IPT also provided\n    program progress updates, established and tracked action items, and tracked\n    audits and reviews. However, the Acquisition Oversight IPT did not effectively\n    question the adequacy of program documentation or the actions of program\n    officials. 
For example, the Acquisition Oversight IPT did not ensure that\n    DCPDS Program officials prepared key documentation in accordance with DoD\n    acquisition policies prior to milestone decision reviews and did not ensure that\n    the provisions contained in related acquisition decision memoranda were met in\n    a timely and efficient manner. Additionally, while the Acquisition Oversight\n    IPT tracked the status of DCPDS audits and reviews, it did not ensure that\n    DCPDS Program officials took corrective actions to address deficiencies\n    identified by the Inspector General, DoD, and GAO.\n\n    CIO Verification of Information. Overall, the CIO could improve oversight\n    responsibilities through the periodic verification of information provided. CIO\n    staff members informed us that oversight verification was seldom performed.\n    Therefore, we concluded that prudent verification efforts could substantially\n    improve the effectiveness of oversight responsibilities. For example, during the\n    DCPDS certification briefing to the Deputy CIO, the review team provided\n    qualified confirmations relating to steps taken on the congressional interest\n    items. Nevertheless, the Deputy CIO provided Congress with an unqualified\n    certification.\n\nDoD Criteria and Approach for Determining Compliance\n    The CIO certified that the DCPDS Program was being developed in accordance\n    with the CCA, but the basis for the certification was unclear because the CIO\n    had not established common criteria or a uniform approach to determine the\n    adequacy of compliance. Further, the CIO did not describe the basis used for\n    certification in the congressional notification.\n\n    Bases Cited for DCPDS Certification. 
Because neither the compliance report\n    nor the certification report specified a basis for certification, we asked staff\n    members in the Office of the Secretary of Defense, who primarily developed the\n    section 8121(b) certification process, to clarify the basis for system certification.\n    Their answers indicated confusion as to the basis for certification. One CIO\n    staff member stated that the basis for certification was premised on the CIO\n    oversight process for major automated information systems; however, a member\n    of Program Analysis and Evaluation staff stated that certification was based on\n    an assessment of the steps taken relating to the five items of interest specified in\n    section 8121(b). We evaluated both processes and determined that they both\n    included notable weaknesses and did not provide a suitable basis for certifying\n    to Congress that the DCPDS Program was managed and developed in\n    accordance with the CCA.\n\n    DoD Guidance for Certification. On July 13, 2000, the CIO issued a\n    memorandum, “Department of Defense (DoD) Information Technology (IT)\n    Systems Certification Requirements,” on the certification process for major\n    automated information systems. Overall, the procedures were similar to the\n    DCPDS draft procedures. Specifically, the guidance requires that Component\n    heads prepare a compliance report, confirm that steps were taken to address the\n    congressional interest items, and provide descriptions of the steps taken.\n    Further, the July 13, 2000, memorandum requires the Component head to\n    concur that the subject system was developed in accordance with the CCA. The\n    memorandum also included a sample template for compliance reporting. 
The\n    template indicated that compliance could be determined by assessing the steps\n    taken for the five specific interest items; however, it did not provide criteria for\n    assessing CCA compliance and did not state any specific approach for\n    determining the adequacy of compliance. Although section 8121(b) was\n    applicable only during FY 2000, Congress included section 8121(b) certification\n    requirements in section 811(c) of the Defense Authorizations Act of FY 2001.\n    Accordingly, the CIO needs to develop specific criteria or specify a common\n    approach for all DoD Components to achieve uniform and consistent compliance\n    assessments.\n\nConclusion\n    The CIO certified in May 2000 that DCPDS was being developed in accordance\n    with the CCA. However, the January 1999 GAO report clearly indicated that\n    DCPDS development was not compliant with the CCA. The CIO did not ensure\n    that CPMS officials corrected the deficiencies reported by GAO and did not\n    verify that the five specific interest items cited in section 8121(b) were\n    completed in accordance with DoD acquisition policy. For example, a formal\n    analysis of alternatives was never prepared and an in-depth, cost/benefit analysis\n    was not prepared for any other alternative except the product selected for the\n    DCPDS Program. Certain aspects of the CCA, such as an analysis of\n    alternatives and an economic analysis, should have been thoroughly performed\n    early in the DCPDS development process. Milestone III was too late in the\n    DCPDS development process to obtain any of the benefits that an analysis of\n    alternatives or an economic analysis could have provided. 
Although DCPDS\n    was past the stage where reengineering business processes and an analysis of\n    alternatives could be useful, the CIO needs to ensure that acquisition programs\n    that are in the early stages of the acquisition process adhere to the principles and\n    intent of the CCA.\n\n    We realize that implementation of both the CCA and section 8121(b) (now\n    section 811(c)) is still being refined. The lessons learned from DCPDS and\n    other early system certifications will be useful in improving the effectiveness of\n    this process.\n\nManagement Comments on the Finding and Audit Response\n    Management Comments. The Acting Assistant Secretary of Defense (Force\n    Management Policy) and the Director, Defense Civilian Personnel Management\n    Service, jointly provided comments that strongly opposed our description of\nissues previously identified by GAO as CCA compliance issues because the\nearlier program decisions, upon which the issues were based, were made prior\nto the enactment of the CCA. Additionally, the GAO report did not assess DoD\ncompliance with CCA; rather, it evaluated whether DoD had applied the\nprinciples of CCA. As to previously identified CCA compliance issues not\nbeing fully resolved, the Acting Deputy Assistant Secretary of Defense (Deputy\nCIO) also indicated that the report did not appropriately recognize that the CCA\nwas not in existence when relevant decisions were made.\n\nAudit Response. The Assistant Secretary of Defense (Force Management\nPolicy) made very similar comments to a draft of the GAO report published in\nJanuary 1999. In its final report, GAO rebutted that, although initial DCPDS\ndecisions predated the CCA, the CCA had been in effect since 1996 and should\nhave been applied to all decisions made after its enactment. 
The GAO also\npointed out that OMB Circulars A-11 and A-130, which contain basic principles\nof sound system acquisition management, existed when initial DCPDS decisions\nwere being made. Additionally, GAO cited several other acts that were in effect\nat the time of initial DCPDS decisions, which contained requirements similar to\nthose outlined in the CCA. Those acts included the Government Performance\nand Results Act of 1993, the Federal Acquisition and Streamlining Act of 1994,\nand the Paperwork Reduction Act of 1995.\n\nThe basic concepts that were mandated by the CCA for the management of\ninformation systems were not new to DoD. As previously discussed on pages 2\nand 3, similar DoD policy and requirements existed prior to the enactment of\nthe CCA and were equally applicable to all program decisions made before and\nafter the enactment of CCA in 1996. For example, DoD Directive 8000.1,\n“Defense Information Management (IM) Program,” October 27, 1992,\nestablished requirements and responsibilities related to each of the\nsection 8121(b) interest items: business process reengineering, analysis of\nalternatives, economic analysis, performance measures, and information\nassurance.\n\nThe Acting Assistant Secretary of Defense (Force Management Policy) jointly\nwith the Director, Civilian Personnel Management Service, and the Acting\nDeputy Assistant Secretary of Defense (Deputy CIO) disagreed with many other\naspects of the draft report finding and discussion and provided extensive\ncomments. A summary of additional management comments and the audit\nresponse is in Appendix D. The full text of management comments is in the\nManagement Comments section of this report.\n\nRecommendations, Management Comments, and Audit\n  Response\n    Based on management comments, we revised Recommendations 1.c., 2.a., and\n    2.b.\n\n    1. 
We recommend that the Chief Information Officer, DoD, Assistant\n    Secretary of Defense (Command, Control, Communications, and\n    Intelligence):\n\n           a. Clarify and enhance the criteria and approach to be used by DoD\n    Components for determining whether major automated information systems\n    are developed in accordance with the Clinger-Cohen Act of 1996.\n\n           b. Strengthen Chief Information Officer oversight processes,\n    including the process for certifying that major automated information\n    systems are developed in accordance with the Clinger-Cohen Act of 1996, by\n    periodically confirming the accuracy and adequacy of information reported\n    by DoD Components.\n\n          c. In coordination with the Director, Civilian Personnel\n    Management Service, ensure the implementation of standard DoD\n    performance measures for the Defense Civilian Personnel Data System.\n\n           d. Provide oversight of the Defense Civilian Personnel Data System\n    program acquisition and management responsibilities performed by the\n    Civilian Personnel Management Service during Phase III and enforce the\n    requirements of the acquisition decision memorandum.\n\n    Management Comments. The Acting Deputy Assistant Secretary (Deputy\n    CIO) concurred with Recommendations 1.a., 1.b., and 1.d. Regarding\n    Recommendation 1.a., the Deputy CIO agreed that better CCA compliance\n    guidelines and standards were needed and planned to partner with DoD\n    Components and Office of the Secretary of Defense oversight organizations to\n    develop the guidelines and standards. In response to Recommendation 1.b., the\n    Deputy CIO cited recent changes to DoD acquisition policy that require DoD\n    officials to provide CCA certification or confirmation in a number of areas.\n    The Deputy CIO also restated the intent to develop certification guidelines and\n    standards. 
As to Recommendation 1.d., the Deputy CIO stated that DCPDS\n    acquisition and management will continue to be overseen throughout Phase III to\n    ensure compliance with the acquisition decision memorandum.\n\n    The Deputy CIO nonconcurred with Recommendation 1.c. in the draft report,\n    stating that implementation of performance measures was more appropriately a\n    responsibility of the Under Secretary of Defense (Personnel and Readiness).\n\n\n\n\n                                      18\n\x0cAlthough not required to comment, the Acting Assistant Secretary of Defense\n(Force Management Policy) and the Director, Civilian Personnel Management\nService, jointly provided comments on the recommendations. For the complete\ntext of their comments, see the Management Comments section of this report.\n\nAudit Response. The comments of the Deputy CIO were partially responsive\non Recommendations 1.a., 1.b., and 1.d. For Recommendation 1.a., the\nDeputy CIO stated that CCA compliance guidelines and standards would be\ndeveloped, but did not include an anticipated completion date. Accordingly, we\nrequest additional comments on the anticipated completion date of planned\nactions. Regarding Recommendation 1.b., management comments were not\nresponsive to the intent of the recommendation. To avoid providing Congress\nand other organizations with potentially misleading information regarding\nClinger-Cohen compliance of DoD information systems, the CIO should take\nsteps to ensure that the information provided by DoD Components is accurate\nand objective. Accordingly, we request additional comments explaining how\nthe DoD CIO will periodically confirm the accuracy and adequacy of\ninformation reported. We also request the completion date of actions planned.\nFor Recommendation 1.d., the Deputy CIO did not describe how the Office of\nthe DoD CIO will continue to oversee the DCPDS program acquisition and\nmanagement responsibilities performed by the CPMS during Phase III. 
We\nrequest additional comments that describe the plan of action for continued\noversight during Phase III and provide the anticipated completion date for\nenforcement of the ADM requirements.\n\nIn response to management comments on the draft recommendations, we revised\nRecommendation 1.c. to more appropriately place implementing responsibilities\nfor performance measurements on the Director, CPMS, and coordination and\noversight responsibilities on the CIO. Accordingly, we request that the CIO\nprovide additional comments on the revised recommendation that include an\naction plan and an anticipated completion date for the implementation of\nstandardized performance measures.\n\n2. We recommend that the Director, Civilian Personnel Management\nService:\n\n      a. Appropriately secure all interfaces between the Defense Civilian\nPersonnel Data System and other automated systems.\n\n       b. Develop, and make readily and easily available to Defense\nCivilian Personnel Data System users, guidance to adequately define\npassword characteristics and procedures to avoid unauthorized use of\nterminals and to mark sensitive data appropriately.\n\nManagement Comments. The Acting Assistant Secretary of Defense (Force\nManagement Policy) and the Director, Civilian Personnel Management Service,\nindicated nonconcurrence with both recommendations and stated that the\nDCPDS interfaces were appropriately secure and would be monitored\nthroughout deployment. Management also stated that because the Designated\nApproving Authority had already accepted the system risks and mitigating\ncircumstances for DCPDS, a delay in deployment was unwarranted and\n\n\n                                  19\n\x0cunnecessary. Additionally, CPMS had coordinated with the Defense Finance\nand Accounting Service on the single interface (two-way data feed) between\nDCPDS and the payroll system. The Defense Finance and Accounting Service\nhad no plans to encrypt this data.\n\nAudit Response. 
We met with CPMS officials on February 1, 2001, to discuss\nour draft recommendations. We initiated the meeting to clarify our position and\nconcerns. Regarding Recommendation 1.a., we identified five DCPDS\ninterfaces (which we define as any exchange of data between systems,\nregardless of whether the exchange is one- or two-way) that had not been\nconsidered during formal documented DCPDS risk analyses. We provided\nCPMS officials with a list of the specific unprotected interfaces and provided\nsuggestions that would minimize the associated risks of sending unsecured data,\npasswords, and user identifications over the Internet. Potential consequences\nincluded unauthorized access to sensitive data, data alteration, access to system\nlogin accounts, and the introduction of viruses or Trojan horses to the system.\n\nAlso at that meeting, CPMS officials expressed reluctance to include detailed\nguidance on passwords in the DCPDS Users Manual. They felt that because the\nUsers Manual was web-based, detailed password composition guidance was not\nappropriate on such an open forum and would pose too much of a security risk.\nWe acknowledged those security concerns, but reiterated that awareness and\ntraining on appropriate security procedures are the first line of defense against\nunauthorized access to the DCPDS information and network of systems. Based\non management concerns, we agreed to no longer require that the enhanced\nguidance be published in the Users Manual. We also agreed to revise\nRecommendation 2.b. to allow for alternate implementation methods, as long as\nCPMS officials documented the needed guidance and requirements and made\nthem readily and easily available to DCPDS users. We also reiterated that\nperiodic security training for DCPDS users will assist in maintaining the\nsecurity of the system. 
Accordingly, we revised the discussion and\nrecommendation on information assurance in this final report.\n\nBecause the DCPDS Designated Approving Authority recognized and accepted\nthe risks identified, we revised Recommendation 2 to remove the requirement to\ntie further system deployment to implementation of the recommended actions.\nWe request that the Assistant Secretary reconsider our recommendations and\nprovide additional comments.\n\n\n\n\n                                   20\n\x0cAppendix A. Audit Process\n\nScope and Methodology\n    We evaluated the basis for the certification made to Congress in response to\n    section 8121(b) and the effectiveness of oversight provided by the Overarching\n    IPT, the Acquisition Oversight IPT, and the milestone reviews. Specifically,\n    we reviewed the certification process including the compliance report prepared\n    by CPMS, briefing charts used to brief the Deputy CIO on the DCPDS\n    certification process, and the certification report submitted to Congress by the\n    CIO. We discussed various aspects of the DCPDS certification process,\n    procedures, and information provided to Congress with staff of the Director,\n    CPMS, staff of the Director, Program Analysis and Evaluation, and staff of the\n    CIO. We also reviewed the minutes from 18 Acquisition Oversight IPT\n    meetings held from July 1997 to March 2000 and inquired about the oversight\n    provided by the OSD Overarching IPT. We determined whether program\n    officials prepared key documentation prior to the milestone reviews on May\n    1996 and May 2000, and reviewed the ADMs issued for those two milestone\n    reviews. We also determined whether the exit criteria provided in the May\n    1996 and May 2000 ADMs were well-defined and enforced by the MDA and his\n    staff. 
Finally, we reviewed the actions taken in response to prior audits and\n    reviews of the DCPDS Program.\n\n    DoD-Wide Corporate Level Government Performance and Results Act\n    Coverage. In response to the Government Performance and Results Act, the\n    Secretary of Defense annually establishes DoD-wide corporate level goals,\n    subordinate performance goals, and performance measures. This report pertains\n    to achievement of the following goals and subordinate performance goal.\n\n    •   FY 2001 DoD Corporate Level Goal 2: Prepare now for an uncertain\n        future by pursuing a focused modernization effort that maintains U.S.\n        qualitative superiority in key warfighting capabilities. Transform the force\n        by exploiting the Revolution in Military Affairs, and reengineer the\n        Department to achieve a 21st century infrastructure. (01-DoD-2)\n\n    •   FY 2001 DoD Subordinate Performance Goal 2.5: Improve DoD\n        financial and information management. (01-DoD-2.5)\n\n    DoD Functional Area Reform Goals. Most major DoD functional areas have\n    also established performance improvement reform objectives and goals. This\n    report pertains to achievement of the following functional area objectives and\n    goals:\n\n    •   Information Technology Management Functional Area.\n        Objective: Become a mission partner. Goal: Serve mission information\n        users as customers. (ITM-1.2)\n\n\n\n                                        21\n\x0c    •   Information Technology Management Functional Area.\n        Objective: Provide services that satisfy customer information needs.\n        Goal: Modernize and integrate Defense information infrastructure.\n        (ITM-2.2)\n\n    •   Information Technology Management Functional Area.\n        Objective: Provide services that satisfy customer information needs.\n        Goal: Upgrade technology base. 
(ITM-2.3)\n\n    •   Information Technology Management Functional Area.\n        Objective: Reform information technology management processes to\n        increase efficiency and mission contribution. Goal: Institutionalize\n        provisions of the Information Technology Management Reform Act of 1996,\n        (renamed as the Clinger-Cohen Act of 1996). (ITM 3.1)\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in DoD. This report provides coverage of\n    the Information Management and Technology high-risk area.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n    Use of Technical Assistance. We received technical assistance from a\n    computer engineer in the Technical Assessment Division, Audit Followup and\n    Technical Support Directorate. The computer engineer reviewed DCPDS\n    documentation on information security and testing. Specifically, the computer\n    engineer reviewed the Test and Evaluation Master Plan, the Qualification\n    Operational Test and Evaluation Final Report, the Security Test and Evaluation\n    Report, and the System Security Authorization Agreement.\n\n    Audit Type, Dates, and Standards. We performed this economy and\n    efficiency audit from May through December 2000, in accordance with auditing\n    standards issued by the Comptroller General of the United States, as\n    implemented by the Inspector General, DoD. We comply with Government\n    Auditing Standards except for the requirement for an external quality control\n    review. Measures have been taken to obtain an external quality control review.\n\n    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD. Further details are available upon request.\n\nPrior Coverage\n    General Accounting Office\n    GAO/AIMD-99-20 (OSD Case No. 
1719) “Defense IRM: Alternatives Should\n    Be Considered in Developing the New Civilian Personnel System,”\n    January 1999.\n\n\n\n                                       22\n\x0cInspector General, DoD\nInspector General, DoD, Report No. 98-127 “Information Assurance of the\nDefense Civilian Personnel Data System - Navy,” April 29, 1998.\n\nInspector General, DoD, Report No. 98-082, “Information Assurance of the\nDefense Civilian Personnel Data Service,” February 23, 1998.\n\nInspector General, DoD, Report No. 98-041 “Acquisition Management of the\nDefense Civilian Personnel Data System,” December 16, 1997.\n\n\n\n\n                                 23\n\x0cAppendix B. Defense Civilian Personnel Data\n            System\n   Based on a 1994 study, DoD decided to replace multiple, mainframe-based\n   personnel management support systems with a single, standard DoD system to\n   better support personnel operations for approximately 800,000 defense civilian\n   personnel. Improving the efficiency of DoD civilian personnel processes and\n   increasing the overall cost-effectiveness of personnel operations were the\n   primary objectives for developing a modern DoD civilian personnel system.\n   The Director, CPMS, tasked to achieve those objectives, developed a functional\n   program with two primary and complementary thrusts. Personnel operations\n   costs would be reduced through regional operations centers, and DCPDS would\n   be developed to provide enhanced, DoD-wide automated support for civilian\n   personnel management offices.\n\n   Under regionalization, civilian personnel operations were consolidated into\n   22 Regional Service Centers and more than 300 Customer Support Units. 
The\n   Regional Service Centers performed several personnel management processes on\n   a centralized, more economical basis, while Customer Support Units provided\n   routine personnel management services on a face-to-face basis at DoD\n   installations. The DCPDS would provide an automated improvement to\n   personnel management processes and convert many paper-based civilian\n   personnel transactions to electronic transactions. When fully deployed, DCPDS\n   would provide the software application tools and the requisite hardware to\n   support civilian personnel mission requirements for all DoD Components.\n\n   The DCPDS would also provide different levels of support capability for\n   regional and local civilian personnel management offices. Because the Regional\n   Service Centers perform a greater variety of personnel management functions,\n   they would receive the full suite of DCPDS software and a commensurate level\n   of hardware. The Customer Support Units would receive a version of the\n   DCPDS commensurate with the scope of their operations. The basic design of\n   the system was a client-server architecture. Data entered into the system at the\n   Customer Support Units would update records located at the Regional Service\n   Centers. The database of records for each DoD civilian employee would reside\n   at their respective Regional Service Center. CPMS also developed a\n   centralized, DoD-wide Corporate Management Information System for\n   DoD-wide reports and ad-hoc inquiry purposes. DCPDS modernization will cut\n   personnel requirements, reduce processing time, eliminate redundant data entry,\n   and eliminate the use of multiple databases.\n\n   The Director, CPMS, expected the DCPDS to enhance productivity by requiring\n   fewer field employees and providing personnel specialists with the ability to\n   service greater numbers of customers. 
At the end of FY 1994, one personnel\n   specialist serviced 66 employees; in 2001, one personnel specialist would be\n\n\n\n                                      24\n\x0cexpected to service 88 employees. Expected nonquantifiable benefits included\nproviding improved data to the DoD payroll system and a more responsive,\nopen-systems environment.\n\nStatus and Estimated Costs of the DCPDS Program. The DCPDS Program,\nwhich was initiated on December 5, 1994, received Milestone 0 approval on\nMay 22, 1995. A conditional Milestone I approval occurred on May 20, 1996,\nand a conditional Milestone III approval was granted on May 19, 2000.\nDCPDS was initially deployed to a few test sites in 1999. The DCPDS\nProgram’s estimated life-cycle costs from FY1995 through FY2010 total about\n$1.3 billion. By May 2001, CPMS had deployed DCPDS core systems to five\nsites and expanded testing at six test sites. CPMS plans to deploy DCPDS to\nthe remaining 15 systems by September 2001.\n\n\n\n\n                                  25\n\x0cAppendix C. 
Timeline of Major DCPDS\n            Program Documentation\n\n\nMarch 15, 1995       Mission Needs Statement\n\nMay 22, 1995         Milestone 0 Approval\n\nJune 1995            Original Acquisition Program Baseline\n\nOctober 1995         Original Operational Requirements Document\n\nOctober 1995         Original Test and Evaluation Master Plan\n\nJanuary 17, 1996     1996 Economic Analysis\n\nMay 20, 1996         Conditional Milestone I Approval\n\nOctober 3, 1996      Initial Operational Requirements Document Approval\n\nSeptember 29, 1997   1997 Economic Analysis\n\nFebruary 25, 1998    Initial Acquisition Program Baseline Approval\n\nSeptember 20, 1998   1998 Economic Analysis\n\nOctober 15, 1998     Acquisition Program Baseline, Revision 1\n\nJanuary 9, 1999      Initial Test and Evaluation Master Plan Approval\n\nOctober 11, 1999     Acquisition Program Baseline, Revision 2\n\nNovember 23, 1999    Revised Operational Requirements Document\n\nJanuary 2000         1999 Economic Analysis\n\nMay 10, 2000         Section 8121(b) Certification\n\nMay 19, 2000         Conditional Milestone III Approval\n\n\n\n\n                        26\n\x0cAppendix D. Summary of Management\n            Comments on the Finding and\n            Audit Response\n   Acting Assistant Secretary of Defense (Force Management Policy)\n   Comments. The Assistant Secretary disagreed with several parts of the finding\n   and supporting discussion, and stated that the draft report seemed to concentrate\n   on the DCPDS and to evaluate the actions of its managers rather than address\n   Clinger-Cohen certification. 
The Assistant Secretary also disagreed with our\n   discussions related to business process reengineering, analysis of alternatives\n   and economic analysis, and performance measures.\n\n   Regarding business process reengineering, the Assistant Secretary nonconcurred\n   that CPMS officials did not critically examine and redesign their mission\n   delivery processes, as a whole, before deciding to invest in DCPDS. Citing a\n   deliberate decision to incrementally implement new processes to avoid\n   disruption of ongoing civilian personnel support operations and binding Federal\n   rules and regulations, the Assistant Secretary stated that although sudden and\n   dramatic change may not have been achieved, DCPDS had, nonetheless,\n   dramatically changed the fundamental way in which DoD delivers civilian\n   personnel services.\n\n   Concerning the adequacy of analysis of alternatives and economic analysis, the\n   Assistant Secretary disagreed that DoD had no conclusive evidence that its\n   investment in DCPDS was optimal. Cost was only one factor considered in\n   evaluating and selecting program approaches. Additionally, the Assistant\n   Secretary stated that we did not acknowledge that GAO representatives\n   indicated, in July 1999, that it was too late in the program to determine whether\n   the selection of the Oracle product was optimal. Further, a projected return on\n   investment of 72.6 percent indicated that investment in DCPDS was worthwhile.\n   As to performance measures, the Assistant Secretary believed our assessment to\n   be premature and did not reflect DoD ongoing efforts. 
Citing those ongoing\n   efforts to establish standardized performance measures with standard definitions,\n   the Assistant Secretary recommended that we revise our discussion on\n   performance measures.\n\n   On the discussion of key documentation for milestone reviews, the Assistant\n   Secretary disagreed that key acquisition documents were not prepared or were\n   not prepared and approved in a timely manner, and were not regularly updated.\n   Acknowledging that the coordination of some documents, especially the\n   acquisition program baseline, operational requirements document, and test and\n   evaluation master test plan, took an extensive amount of time, copies of all\n   required program documentation were provided to oversight officials prior to\n   each milestone review. Further, the official publication and signature dates\n   were not indicative that DCPDS officials worked in isolation from oversight\n   bodies. The Assistant Secretary stated that documents rarely changed between\n   versions and oversight officials were fully aware of the process required for\n   coordination and were satisfied with the coordination progress made.\n\n\n                                      27\n\x0cConcerning our discussion of whether the conditional Milestone I approval was\nnullified because the conditions of the ADM were not met, the Assistant\nSecretary stated that approved documents were submitted as required and the\nMilestone I decision was not nullified.\n\nThe Assistant Secretary also disagreed that CIO management controls for\noverseeing the DCPDS development did not provide active oversight\nparticipation and involvement by senior DoD advisors at key decision points or\nadequate and ongoing direction and guidance to the DCPDS Program. 
Their\nrepresentatives on the Acquisition Oversight IPT kept members of the\nOverarching IPT aware of DCPDS acquisition status and potential problems.\nFurther, the Deputy Assistant Secretary of Defense (Civilian Personnel Policy)\nand the Director, CPMS, met with Overarching IPT members several times to\ndiscuss key program decisions.\nAdditionally, the Assistant Secretary recommended that the costs of\nregionalization and systems modernization be differentiated in our discussion of\nestimated costs of the DCPDS Program in Appendix B. Further, changes\nshould be made to Appendix C, Timelines of Major DCPDS Program\nDocumentation, to more clearly show when selected key documents were first\ndeveloped and approved by CPMS.\n\nAudit Response. The audit and the report’s focus was on the DoD CIO’s\nunqualified certification and the effectiveness of DoD CIO oversight of the\nDCPDS Program rather than on DCPDS management actions. We determined\nwhether the DoD CIO had sufficient basis to certify that selected systems were\ndeveloped in accordance with the CCA. To evaluate the oversight process of\nmajor automated information systems for compliance with the DoD\nimplementation of CCA, we reviewed the process, procedures, and supporting\nprogram documentation of a system that was certified as being developed in\naccordance with the CCA.\n\nWe amended our discussion of previously identified issues to more clearly show\nthat many issues were decided before the CCA was legislated. We also clarified\nthat, as stated in the January 1999 GAO report, the principles set forth in the\nCCA were not new, but merely reiterated and reinforced existing Office of\nManagement and Budget and DoD information system development and\nmanagement policies. Based on management comments and reconsideration of\nother factors, we revised the discussion of business process reengineering to\nreflect that related efforts met the intent of the CCA. 
We also amended our\ndiscussions of analysis of alternatives and economic analysis, and performance\nmeasures. However, we did not change our related conclusions. For analysis\nof alternatives, although minimal documentation was available, it simply did not\nprovide conclusive economic evidence that the commercial software obtained\nrepresented the best investment alternative. Regarding performance measures\nand ongoing efforts to institutionalize standard measurements, the CPMS had\nnot implemented DoD-wide standardized functional performance measures.\n\n\n\n\n                                   28\n\x0cUntil that occurs, DoD continues to incur a risk of having to compare disparate\ninformation in assessing DCPDS performance gains by the functional\ncommunity.\n\nRegarding the Assistant Secretary’s comments on key acquisition\ndocumentation, we revised the report to clarify the need for coordination and\nobtaining approvals from DoD organizations other than CPMS for various key\nacquisition documents. However, the management comments did not alter our\nconclusion that, for DCPDS, the CIO did not ensure that key documentation was\nappropriately prepared and approved for consideration during milestone\nreviews. Additionally, we take exception to the Assistant Secretary’s implying\nthat delays in submitting appropriately approved documents were tacitly\napproved. Documented direction from the DoD CIO does not support that\ncontention. The Milestone I approval occurred in May 1996, and the associated\nADM specified that an approved acquisition program baseline be provided\nwithin 60 days. 
In July 1997, and again in October 1997, the chair of the Major\nAutomated Information Systems Review Council formally emphasized to CPMS\nmanagers the need for an approved acquisition program baseline document.\nFurther, we noted that the Assistant Secretary did not comment on other key\nacquisition documentation discussed in the report, such as an implementation\nrisk analysis and mediation plan or an approach for resolving DCPDS\noperational test and evaluation issues, which the CIO should be expected to\nrequire for consideration during the Milestone III review. In regard to whether\nthe DCPDS Milestone I conditional approval was nullified, because the required\ndocumentation was not fully and appropriately approved within the required\ntimeframe and because no final Milestone I decision was documented, we\nconclude that the matter is uncertain.\n\nAs to the adequacy of oversight IPTs, the draft report recognized their\ninvolvement in milestone decisions and the ongoing monitoring and tracking of\nDCPDS activities and events. However, we continue to question whether the\nOverarching IPTs can provide effective advice to the CIO during milestone\ndecisions if they never actually meet to review program progress and ensure that\nthe program appropriately “fits” into higher level DoD initiatives and\nconsiderations. In addition, we continue to question the effectiveness of the\nAcquisition Oversight IPT in making sure that DoD acquisition policies and\ndirection are effectively implemented by DCPDS and other major DoD\ninformation technology programs.\n\nIn this final report, we amended Appendixes B and C to address the suggestions\nof the Assistant Secretary.\n\nActing Deputy Assistant Secretary of Defense (Deputy CIO) Comments.\nThe Deputy CIO disagreed with each factor we cited in the Finding (page 5) as\ncontributing to an insufficient basis for the unconditional certification of\nDCPDS. 
The Deputy CIO stated that although draft procedures were used to\ndevelop, coordinate, and review the DCPDS certification, the certification was\nnot adversely impacted by the use of draft procedures. As to previously\nidentified CCA compliance issues not being fully resolved, the Deputy CIO\nindicated that the report did not appropriately recognize that the CCA did not\nexist when relevant decisions were made. Concerning the adequacy of data\n\n\n                                   29\n\x0canalysis for certification, the Deputy CIO cited the involvement of the CCA\nWorking Integrated Product Team during the certification review and asserted\nthat the data submitted for each interest item were analyzed and found to\nadequately support CCA certification. Regarding the appropriate preparation,\napproval, and updating of key acquisition documents, the Deputy CIO stated\nthat DoD senior officials in support of DCPDS approved all key acquisition\ndocumentation in accordance with acquisition directives and regulations. Citing\nthe need for extensive coordination of some documents, the Deputy CIO\nacknowledged delays but stated that acquisition oversight officials were always\naware of the status of key acquisition documents.\n\nThe Deputy CIO disagreed that milestone exit criteria were not well-defined or\nsufficiently tracked and enforced, stating that milestone exit criteria were\nprepared in accordance with DoD acquisition guidance and that DoD CIO\nacquisition oversight staff and the Acquisition Oversight IPT monitored and\nactively tracked MDA decisions. The Deputy CIO disagreed that management\ncontrols for overseeing the DCPDS development were ineffective in providing\nactive participation and involvement by senior DoD officials or in providing\nadequate and ongoing direction and guidance to the DCPDS Program. Senior\nlevel involvement was achieved via feedback received from their representatives\non the Acquisition Oversight IPT. 
Further, in accordance with DoD acquisition\nguidance, the Acquisition Oversight IPT resolved as many issues as possible,\nand elevated remaining issues to the DoD CIO who issued ADMs to provide\nongoing program direction and guidance. Lastly, citing DoD guidance issued in\nMay 1997 (see page 53) and the previously discussed certification guidance\nissued in July 2000, the Deputy CIO disagreed that DoD had not established\nspecific criteria for or defined a common approach to evaluating the basis for\nCCA certification.\n\nAudit Response. In several cases, the Deputy CIO comments paralleled those\nprovided by the Assistant Secretary. The audit response from the Assistant\nSecretary also addressed the Deputy CIO comments concerning the factors that\ncontributed to an insufficient basis for unconditional certification of DCPDS.\nAs such, we have limited this audit response to the unique aspects of comments\nmade by the Deputy CIO.\n\nRegarding the use of draft procedures for DCPDS certification, we believe that\nofficial guidance is preferable to draft guidance because there is no question as\nto its applicability. However, in considering management comments, we agree\nthat the use of draft procedures during the DCPDS certification process did not\nmaterially affect the validity of the certification. Accordingly, we removed the\nuse of draft certification procedures as a cause of the insufficient basis for an\nunqualified certification by the CIO.\n\nConcerning the adequacy of data analysis for certification, we do not understand\nthe basis for the CIO assertion that the relevant data was analyzed and found to\nadequately support certification. 
The draft report recognized that the DCPDS\ncertification review team, in briefing the DoD CIO, presented qualified\nconfirmations of steps taken for business process reengineering, analysis of\nalternatives, and performance measures, because the GAO previously identified\n\n                                    30\n\x0cproblems in those areas. The review team recommended certification because\nCPMS had initiated action to address GAO concerns. However, we found no\ndocumentation of the review team’s action to review and verify the extent or\nreasonableness of CPMS actions. The GAO report provided ample indicators\nthat DCPDS had not been developed in accordance with the intent of the CCA.\nAlthough it was too late in the DCPDS development process to apply all CCA\nprinciples, the CIO certification report should have acknowledged that fact and\nappropriately qualified the CCA certification.\n\nAs discussed in the report, we do not agree with the Deputy CIO assertion that\nkey acquisition documents were appropriately approved and submitted for MDA\nconsideration prior to the Milestone I or Milestone III reviews.\n\nThe report acknowledges that the CIO issued guidance on CCA certification.\nHowever, as further discussed in the report, the guidance was very broad and\ndid not provide specific criteria to evaluate CCA compliance by DoD\nComponents. Additionally, no common approach for determining CCA\ncompliance was specified. The CIO needs to issue specific criteria so that\noversight organizations and functional proponents can ensure that programs,\nsuch as DCPDS, are consistently and sufficiently assessed as to their compliance\nwith the intent of the CCA.\n\n\n\n\n                                   31\n\x0cAppendix E. 
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n  Director, Program Analysis and Evaluation\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Deputy Assistant Secretary of Defense (Deputy Chief Information Officer)\n      Director, Investment and Acquisition\nAssistant Secretary of Defense (Force Management Policy)\n  Deputy Assistant Secretary of Defense (Civilian Personnel Policy)\n      Director, Civilian Personnel Management Service\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Acquisition)\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDefense Logistics Agency\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\n\n\n\n\n                                          32\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Management, Information, and Technology,\n  Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                              

Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence)
Comments

Final Report Reference: Deleted, page 5; Revised, page 18

Assistant Secretary of Defense (Force
Management Policy) Comments

Final Report Reference: Page 5; Revised, Page 5; Pages 18 through 19;
Revised, page 19; Revised, page 19; Page 6; Revised, page 7; Revised, page 7;
Pages 7 through 8; Page 8; Revised, page 11; Revised, page 12;
Revised, page 16; Revised, page 25; Revised, page 26

Audit Team Members
The Acquisition Management Directorate, Office of the Assistant Inspector General for
Auditing, DoD, prepared this report. Personnel of the Office of the Assistant Inspector
General, DoD, who contributed to the report are listed below.

Mary L. Ugone
Wanda A. Hopkins
James W. Hutchinson
Virginia B. Rogers
James B. Mitchell
Jerry Hall
Kevin W. Klein
Genea S. Pack
Peter C. Johnson
Jacqueline N. Pugh
'